In the first installment of this series I discussed the need for organizations to change their approach to cyber security to an “assumption of breach model,” or an understanding that in today’s threat landscape, it is unrealistic to thwart 100 percent of malicious attacks. That previous post also mentioned that this new approach should focus primarily on three foundational elements:
For the second part of this series, let’s tackle the first element. Who exactly are we talking about when we discuss people? The easiest way to break down the individuals who can potentially impact security in an organization—and to determine how best to utilize each as a security asset—is to categorize them in four groups:
IT practitioners: Your internal IT team interfaces with the various technologies in your organization every day. Depending on the size of your organization you might have one—or in rare cases a few—IT staffers dedicated to security, but in most cases it will be one responsibility among many others for these practitioners. If we look at the current threat landscape as a battlefield, these are your soldiers; they need high-quality training to be effective, specifically on how to operate security systems and solutions that the organization has purchased.
As you’ll see as this series progresses, each of the three foundational elements is tied to the other two, and this is especially true with regard to IT practitioners. In most instances these individuals will also be charged with leveraging the organization’s processes and technologies, so it is critical that they have the requisite training and knowledge.
Employees: These are the workers who use business applications as part of their day-to-day responsibilities. They are not IT professionals and likely aren’t thinking about cyber security other than when they hear about a high-profile breach on the news. For that reason, these people are an organization’s most significant vulnerability and must be protected by our systems and receive cyber security training.
Former FBI Computer Intrusion Unit head Don Codling recently said at a seminar that “savvy, well-meaning employees can be fooled into doing something to allow attacks access to company networks,” citing an example in which an employee clicks an email that appears to be a subpoena from his or her personal attorney. This example illustrates that without an understanding of what to look for, these employees can be an almost insurmountable vulnerability. But those same well-meaning employees Codling mentioned, if educated properly, can turn from your biggest weakness to your greatest strength.
Leadership: These are your IT directors, your senior leadership and even board members. These are the people who must not only help create the vision, but also generate buy-in from the rest of the organization. The message here is fairly simple: if leadership is uninterested in security—or worse, fails to abide by the procedures they help create—a program has little chance to succeed.
An organization’s leaders must also avoid fostering a culture of blame around cyber security. Too often in recent years, breaches have led to firings or resignations of C-level executives. While some incidents may warrant personnel changes, in many instances the best thing an organization’s senior leaders can do in the wake of an incident is to pull together, determine how to remediate the situation and ensure it doesn’t happen again.
Third-party consultants: Between managing technologies and infrastructure, identifying qualified candidates to hire, conducting daily operations, and dealing with governance and compliance challenges, security can be expensive and time-consuming.
For most organizations, investing in an entire security team is just not feasible. Security consultants can help augment internal teams and bring valuable experience to a security infrastructure project or incident. They can also free up internal IT staffers to focus less on “run” tasks and more on forward-facing security initiatives.
The Next Element
As I mentioned earlier, the three foundational security elements are interdependent, so check out the third installment of this series, which focuses on policy and process.
I encourage you to read the entire blog series where we discuss how you can implement a strategy that allows your business to operate confidently and without fear: